MTI Citrix Environment Security Assessment: Overview
MTI’s experience of testing over 100 Citrix installations has proved in every single test conducted that it is possible to abuse any number of misconfigurations, lockdown oversights, published applications or other software vulnerabilities to break out of the confined environment a user is placed into and access parts of the host or network that a citrix user was never intended to have access to.
Put simply, implementing Citrix without fully understanding how to adequately lockdown the environment can lead to high impact compromises of both the Citrix host and the network it resides on, MTI can help with Citrix Security.
The range of issues identified during assessments includes:
- Gaining read/write access to sensitive financial and trading data (often resulting in a breach of PCI rules)
- Gaining read/write access to restricted drives (breaching basic security principles)
- Gaining access to administrator accounts and user passwords (breaching basic security principles)
- Gaining full access to customer & business databases (breaching DPA & PCI requirements amongst others)
- Ability to send any electronic information out of the business, avoiding content monitoring software (allowing simple data theft)
- Ability to download arbitrary files to the host and install and run Trojan and backdoor hacking tools
We have seen that even for businesses who have invested a considerable amount of time, thought and attention in securing the Citrix platform, high risk vulnerabilities can still be found. As a result we feel confident to state that simply working from hardening guides is not sufficient to secure the Citrix /Windows environments. However, merely applying more and more mitigation measures can often target expenditure in the wrong areas and only address the symptoms, not the causes. Testing is therefore essential to identify the real issues and select the appropriate controls.
If you would like more information regarding our Citrix Environment Security Assessment, please contact the MTI penetration testing team to discuss your requirements.